What is the file with .p8 extension? (APNs Auth Key / JWT)


Problem description

I think it is a little ridiculous, but it's hard to find information about what this file is. I've found a lot of info on how to get this Apple Push Notification Authentication Key, but I also want to know exactly what it is.
Here is some info I have found:

Benefits:

  • No need to re-generate the push certificate every year;
  • One auth key can be used for all your apps;
  • Same for sandbox and Production.

From Apple Docs:

Token-based provider connection trust: A provider using the HTTP/2-based API can use JSON web tokens (JWT) to provide validation credentials for connection with APNs. In this scheme, you provision a public key to be retained by Apple, and a private key which you retain and protect. Your providers then use your private key to generate and sign JWT provider authentication tokens. Each of your push notification requests must include a provider authentication token.

You can use a single, token-based connection between a provider and APNs to send push notification requests to all the apps whose bundle IDs are listed in your online developer account.

Every push notification request results in an HTTP/2 response from APNs, returning details on success or failure to your provider. Further check Token-Based Provider-to-APNs Trust section.

Questions:

  • What is actually the .p8 file?
  • What program can open it? (Keychain didn't work for me)
  • Is there a way to convert it to .pem or .p12?
  • A little flow-out question in order to not create a new topic: does the server side operate with .p8 the same way as with .p12, or should additional tools be added?

Solution

The following is the state of my research:

The APNS .p8 file contains the PRIVATE KEY that is used to SIGN the JWT content for APNS messages. The file itself is a pure text file, the KEY inside is formatted in PEM format.

The part between the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- is a base64 formatted ASN.1 PKCS#8 representation of the key itself. Some can use the following web service to extract its contents (ASN1JS).

The KEY itself is 32 bytes long and is used to create the required ECDSA P-256 SHA-256 signature for the JWT. The resulting JWT looks like this '{JWT header base64 encoded}.{JWT payload base64 encoded}.Signature (64 bytes) base64 encoded'.

There are a lot of web services to decode such tokens, but some couldn't check the signature, as the corresponding PUBLIC KEY isn't known (Apple keeps it secret when providing the PRIVATE KEY).

EDIT: It seems that the PUBLIC KEY is also included in the .p8 file; it can be extracted via OpenSSL (and is visible when decoding the ASN.1 content: the 520 bit stream).

openssl ec -in AuthKey_123ABC4567.p8 -pubout -out AuthKey_123ABC4567_Public.p8
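
The layout described in the answer above, as an added example that is not part of the original post: a standard-library Python walk of the PKCS#8 structure that returns the 32-byte private scalar and the embedded 65-byte (520-bit) public point. The function names are hypothetical, and the sample key is constructed from filler bytes in the real layout, so it is not a usable key pair.

```python
import base64

OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7

def tlv(tag, body):
    """Encode one DER element (short and one-byte long-form lengths only)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split the body of a constructed element into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_p8(pem):
    """Parse a PKCS#8 P-256 key; return (private scalar, public point or None)."""
    b64 = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    _, top, _ = read_tlv(base64.b64decode(b64))
    (_, _ver), (_, alg), (_, wrapped) = children(top)[:3]
    if [v for _, v in children(alg)] != [OID_EC_PUBLIC_KEY, OID_PRIME256V1]:
        raise ValueError("not an EC P-256 key")
    fields = children(read_tlv(wrapped)[1])  # inner ECPrivateKey (RFC 5915)
    # Optional [1] field: BIT STRING whose first byte counts unused bits (0).
    point = next((read_tlv(v)[1][1:] for t, v in fields if t == 0xA1), None)
    return fields[1][1], point

def sample_p8():
    """Constructed sample: filler bytes in the real layout, not a usable key pair."""
    scalar, point = bytes(range(1, 33)), b"\x04" + bytes(range(100, 164))
    ec = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, scalar)
             + tlv(0xA0, tlv(0x06, OID_PRIME256V1)) + tlv(0xA1, tlv(0x03, b"\x00" + point)))
    alg = tlv(0x30, tlv(0x06, OID_EC_PUBLIC_KEY) + tlv(0x06, OID_PRIME256V1))
    der = tlv(0x30, tlv(0x02, b"\x00") + alg + tlv(0x04, ec))
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN PRIVATE KEY-----\n" + b64 + "-----END PRIVATE KEY-----\n"
```

Passing the text of a real AuthKey file to parse_p8 returns the same two fields; the scalar is the signing secret and should never be printed or logged.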
